An Interview with Michael Kleck, Director of Compliance and Information Security at Alchemer.
Today we’re talking to Michael Kleck, Director of Compliance and Information Security at Alchemer about Alchemer’s recent ISO 27001 certification.
What is ISO 27001 Certification and what does it mean?
Michael: ISO 27001 certification demonstrates that an organization like Alchemer has invested in the people, processes, and technologies to protect their customers’ data. It provides an independent, expert assessment of whether an organization is protecting their customers’ data at the highest levels.
Getting ISO 27001 Certified was a big deal for Alchemer. What was the process behind the scenes?
Michael: Earning an ISO 27001 Certification is a major commitment. It takes time, money, and a lot of effort. So you have to make this commitment as a company, because everybody will be involved. You really must want to do this.
The first step was to conduct a self-review. This meant comparing the ISO 27001 requirements to what we were actually doing. We looked at where we were and what we were missing. This gap analysis gave us a pretty clear plan for remediation, so we knew what we had to do.
Can you talk about the remediation process?
Michael: The remediation process is about building whatever is missing. In our case, we needed to create some new processes, procedures, and even add some technologies. It also involves correctly organizing your team so that everybody knows and understands their roles and responsibilities.
Once we put everything in place, we needed to document it for the auditors. There are three parts to passing the certification: you need to do all of the right things for data security, confidentiality, integrity and availability; document that you are doing those things; and then prove that you are doing everything you documented. In other words, say what you do, and do what you say.
When do you engage the auditor?
Michael: Some companies engage an auditor to help with the gap analysis. We chose to engage with the auditor once we felt that we had addressed the gaps we had discovered. The auditor came in and asked a lot of questions about our processes, procedures, and technologies. Then they interviewed our staff and reviewed our documentation.
Once they felt they had enough information, they wrote a report and sent it to the standards committee. The committee reviewed and evaluated the report, and certified it.
How many people were involved in earning the certification?
Michael: Everybody on staff had to be involved at some level through training and testing. Even our vendors had to complete risk assessments. Every month, we require our entire employee base to complete training and pass one or more tests to show their understanding of their role in keeping our clients’ data safe. On the InfoSec side, Brett Gedvilas led the effort. He put in the long hours for several months to remediate our gaps and to document everything for the auditor.
What does this mean to Alchemer?
Michael: ISO 27001 is an internationally recognized standard that gives us recognition worldwide, showing that Alchemer complies with a stringent security framework. It means that people and other companies can trust us with their data and their business. It also says that we are a major player, not a start-up, because the investment in achieving an ISO 27001 certification is quite significant.
Does ISO 27001 Certification affect GDPR and CCPA?
Michael: ISO 27001 expands upon our GDPR and CCPA efforts. The ISO 27001 Certification addresses our security framework, risk management, and data confidence, while GDPR and CCPA apply to data privacy. However, you can’t have data privacy without having top-flight data security. Alchemer offers both.
What does ISO 27001 Certification mean to our customers?
Michael: It means that the safety and security of our clients’ data is our primary concern. It’s what our business and reputation are built on. So, we go the extra mile to adhere to these standards, to prove that we adhere to these standards, and to prove that our clients’ data is safe.
It also lets our clients know that our entire team – all the way to the C-Level executives – is intimately involved in the security and integrity of our systems and processes. And that everybody throughout the organization takes data security very seriously.